The Information Commissioner has been considering the emerging practice of insurance companies obtaining medical records by using patients’ subject access rights.

We recognise that insurance companies may have a genuine need to review medical information about its customers when providing policies like life and critical illness cover.

To enable this, the Access to Medical Reports Act 1988 gives insurance companies a clear and established legal route to access medical information. The Act also gives appropriate safeguards to patients and respects the confidential relationship between a GP and their patient. Under the Act, a GP can provide a tailored report to an insurer, with their patient’s consent, setting out only the information the insurer needs.

However, some insurance companies have instead been looking to rely on the subject access right given to consumers under the Data Protection Act in order to obtain medical records, rather than a tailored GP’s report.

A subject access request gives an individual the right to ask for all of the personal information an organisation holds about them. This is a powerful right, designed to ensure individuals can access information held about them within a specified time period and at a nominal cost. This right was not designed to underpin the commercial processes of insurers.

By making a subject access request on a patient’s behalf, an insurance company may be provided with a patient’s entire medical record, including information that is not relevant for the purpose of underwriting a policy.

The ICO has recently written to the insurance industry to explain that we consider that the use of subject access rights in this way is inappropriate and an abuse of that right.

We also have concerns that the processing of medical records by insurers once received from GPs is likely to breach the Data Protection Act.

We will be speaking to the insurance sector further to ensure that future use of medical records is in line with the law.

Patients continue to be able to make subject access requests to their GP.

GPs have ethical obligations around how patient records are shared, and we advise GPs to explain to patients, in broad terms, the implications of making a subject access request so they can make a more informed decision on whether they wish to exercise their rights under the Data Protection Act. We also recommend GPs share any responses to subject access requests directly with patients, rather than to insurance companies.

Contrary to comments made by the British Medical Association, GPs must still respond to subject access requests, in accordance with the guidance published on our website. The right to see personal information held about you by an organisation is an important one, and one from which GPs are not exempt. We will be speaking with the British Medical Association again to further clarify this.